A METHOD FOR AUDITING A DATABASE AND SYSTEM FOR CARRYING OUT SUCH METHOD 



Background of the Invention 

The subject invention relates to the verification and auditing of records in a 
database. More particularly, it relates to verification and auditing of records relating to 
various users who can access or update the records through any of a plurality of modules. 

With the explosive growth of digital communications, systems where users can 
remotely access various types of accounts through any of a plurality of devices have 
become common. Perhaps the best known of such systems are the ubiquitous ATMs. 
Another such system is ClickStamp Online, marketed by the assignee of the subject 
invention to transmit digital postal indicia in response to requests from mailers, which will 
be described further below. Commonly, in such systems a central server maintains a record 
or records of transactions by each user in a database. Clearly, unauthorized alteration of 
such records can cause large losses for system operators or users. 

Thus it is an object of the subject invention to provide a method for generating and 
maintaining audit data which can be used to audit and verify such databases. 


Brief Summary of the Invention 

The above object is achieved and the disadvantages of the prior art are overcome in 
accordance with the subject invention by means of a method, and a database system for 
carrying out that method. The system includes: a data store storing a database including a 
plurality of records; a server maintaining the records; and a plurality of independent 
modules providing access to said records. In accordance with the method of the subject 
invention the modules are programmed to maintain a set of additive audit data in each 
module and increment a set of audit data maintained in one module when a record is 
accessed through that module, and the server is programmed to sum the sets of audit data to 
generate system audit data and verify the database's integrity against the system audit data. 
In accordance with one aspect of the subject invention the server is further 
programmed to receive user requests for access and send the user request and the requested 
record to a selected one of the modules, and the modules are further programmed so that 
the selected module updates the requested record in accordance with the request. 

In accordance with another aspect of the subject invention the modules are further 
programmed so that the selected module incorporates encrypted information in the record 
to prevent generation of fraudulent records. 
In accordance with another aspect of the subject invention the request includes a 
request for a digital postal indicium and the modules are further programmed so that the 
selected module generates and returns to the requesting user a digital postal indicium in 
accordance with the request, and updates the requested record in accordance with the 
request. 

In accordance with still another aspect of the subject invention each of the modules 
is secured against tampering. 

In accordance with still yet another aspect of the subject invention the sets of audit 
data comprise increments of a linear error correcting code for correcting a field of the 
records, whereby the audit data can be summed by the server to generate a system error 
correcting code to correct the field of the records. 

In accordance with another aspect of the subject invention the corrected field 
contains a total postage amount for the corresponding record. 

In accordance with another aspect of the subject invention the corrected field 
contains a total number of indicia dispensed for the corresponding record. 
Other objects and advantages of the subject invention will be apparent to those 
skilled in the art from consideration of the detailed description set forth below and the 
attached drawings. 
Brief Description of the Drawings 

Figure 1 shows a schematic block diagram of a system for dispensing digital postal 
indicia in accordance with the subject invention. 

Figure 2 shows a schematic block diagram of the cryptographic modules of the 
system of Figure 1 and includes a representation of audit data stored in the modules. 

Figure 3 is a representation of the information content of a request for a digital 
postal indicium. 

Figure 4 is a representation of the information content of a meter record comprised 
in the database of the system of Figure 1. 


Figure 5 shows a flow diagram of the operation of the server of the system of 
Figure 1 in response to a request for a digital indicium. 

Figure 6 shows a flow diagram of the operation of a cryptographic module of the 
system of Figure 1 in response to a request for a digital indicium. 

Figure 7 shows a flow diagram of the operation of the server of the system of 
Figure 1 in auditing the database. 

Detailed Description of Preferred Embodiments of the Invention 

Figure 1 shows database system 10 for providing digital postal indicia in response 
to requests from various users. System 10 is substantially similar to the ClickStamp Online 
marketed by the assignee of the subject invention with further adaptation to carry out the 
method of the present invention. 
Users 12 who require a digital postal indicium send a request to server 14 through 
network 16, which can be any convenient mechanism for communication by a plurality of 
users, such as the public switched telephone network, the Internet, or a private network 
provided by the operator of system 10. Server 14 provides users 12 with access to meter 
record database 20 through cryptographic modules 22. Server 14 retrieves the requested 
meter record from database 20, selects an available one of modules 22, and sends the 
requested meter record and user request to the selected one of modules 22. Modules 22 
generate a digital postal indicium in accordance with the request and update the requested 
meter record, as will be described further below. 

Preferably, modules 22 are secured by a tamper resistant housing 24, and any other 
suitable techniques for preventing unauthorized access to modules 22 are also within the 
contemplation of the subject invention. (Housing 24 is shown as a single housing 
enclosing all of modules 22 but can also be a separate housing for each module.) 

While modules 22 are shown as physically separate, they can also be multiple 
instances of the cryptographic software running on a single computer. 

Figure 2 shows the contents of a meter record stored in database 20 in one 
embodiment of the subject invention. Such records include: a Device ID identifying the 
record, a License ID evidencing authorization to generate indicia, a Transaction ID used to 
synchronize refill requests, an Ascending Register storing the total amount of postage 
generated through the meter record, a Descending Register storing the remaining amount of 
postage authorized (i.e., pre-paid), a Date of Last Refill storing the date of the last 
pre-payment for postage, an Origin ZIP Code identifying the location from which the 
mailpieces bearing the generated indicia will be mailed, a Piece Count of transactions 
processed, a Meter Private Encryption Key used to sign the digital postal indicia generated 
through the record, and a Cryptographic Module Signature generated by the last 
cryptographic module to update the record to prevent fraudulent alteration of the record. 
Other forms of incorporation of encrypted information to prevent fraud, such as encrypting 
all or part of the record without first generating a signature hash, are also within the 
contemplation of the subject invention. 
Those skilled in the postage meter art will recognize that meter records contain 
substantially the same information found in conventional free standing postage meters. 

Figure 3 shows the contents of an indicium request in one embodiment of the subject 
invention. In addition to the user's identity it includes: a Device ID identifying the meter 
record to be used, a Postage Amount for the requested indicium, a Rate Category for the 
requested indicium, and Destination Address Data for the corresponding mailpiece. 

Figure 4 shows a more detailed schematic block diagram of a cryptographic module 
22. Module 22 includes nonvolatile memory 24 for secure storage of data, encryption 
engine 28 for performing cryptographic calculations, controller 30 for controlling the 
operation of module 22 and communications port 32 for communication with server 14. 

In one embodiment of the subject invention nonvolatile memory 24 stores: Device 
IDs to identify a specific cryptographic module, Device Signing Keys to generate digital 
signatures when meter records are updated, Device Encryption Keys which decrypt Meter 
Private Encryption Keys stored in meter records, and Audit Data for auditing database 20, 
which audit data can include: Total Postage processed through the module, Piece Count 
which represents the total number of transactions processed through the module, Postage 
per ZIP and Transactions per ZIP representing the above amounts on a per Origin ZIP Code 
basis, and Error Correction Code Data from which a system error correction code can be 
generated, as will be further described below. 

It should be noted that Audit Data is linear and can be combined by appropriate 
"summation" operations, as will be described further below, to generate system audit data, 
so that modules 22 can operate independently, i.e., without need for communication among 
modules 22 for purposes of the subject invention. 

Figure 5 shows a flow diagram of the operation of server 14 in processing a request 
for a digital postal indicium. At 50 one of users 12 generates a request and sends it over 
network 16 to server 14. At 52 server 14 receives the request and at 54 selects the 
requested meter record from database 20 and confirms the user's authority to access that 
record. At 56 server 14 confirms that the requested meter record contains sufficient funds, 
and if not rejects the request at 60. (Details of the processing of rejected requests form no 
part of the subject invention.) If the requested record shows sufficient funds, at 62 server 
14 selects an available one of cryptographic modules 22 and sends the request and 
requested meter record to the selected module, and waits. At 68 server 14 receives the 
updated meter record, including updated and signed audit data, and a digital postal 
indicium in accordance with the request. At 68 server 14 stores the updated record in 
database 20, and at 70 sends the indicium and meter status (e.g., pre-paid postage 
remaining) to the requesting user. 

Figure 6 shows the operation of modules 22 in processing a request for a digital 
postal indicium. At 72 the selected one of modules 22 receives the indicium request and 
the requested meter record and, at 76, confirms that sufficient funds are available. If not, the 
request is rejected at 78, again in a manner whose details form no part of the subject 
invention. At 80 the selected module constructs an indicium message having an appended 
indicium signature, which when printed in relevant part on a mailpiece will evidence 
payment of postage in the amount shown, and at 84 updates the requested meter record and 
appends a meter record signature. (Generation of indicia and updating meter records is 
more fully described in specifications for the Information Based Indicia Program (IBIP) 
published by the United States Postal Service, and further discussion is not believed 
necessary for an understanding of the subject invention.) At 86 the selected module 
updates the audit data. (Updating the postage and transaction data is a matter of simple 
addition. Updating of the error correcting code will be described further below.) At 88 the 
updated audit data is stored in nonvolatile memory 24, and at 90 the signed indicium 
message and signed meter record are sent to server 14 for processing as described above. 
The audit data and the indicium are transmitted to the server at the same time. The 
indicium is forwarded to customer 12 and a copy of the audit data is stored in server 22. 
While perhaps less secure than data stored in modules 22, audit data stored in server 22 can 
be verified against that in modules 22 and can be used, for example, when a module is 
off-line. 

Preferably, the audit data includes encrypted information to provide assurance of its 
authenticity. (As used herein the term "encrypted information" includes incorporation of a 
digital signature or encryption of all or portions of a message.) The audit data can also 
include time data to provide assurance that it is current. 
Figure 7 shows the operation of server 14 in auditing database 20. At 100 server 20 
calculates the total postage dispensed and total number of transactions for database 20. In 
one embodiment this total is over the whole database. In another embodiment totals can be 
taken over each origin ZIP code. At 102 server 20 obtains the audit data from all of 
modules 22, and at 104 calculates the appropriate totals from the audit data. At 106 server 
14 compares the totals determined from the database with the totals determined from the 
audit data, i.e., compares the total postage and number of transactions across the database 
with the totals across cryptographic modules 22. At 110 server 14 determines if the totals 
agree and, in one embodiment, if the totals agree reports a successful audit at 112. 

If the totals are not equal or, in other embodiments where the operator of server 14 
wishes to assure that amounts have been properly distributed over meter records even if the 
overall totals are correct, at 114 server 14 calculates a system error correction code by 
appropriately "summing" the Error Correction Code Data from each of modules 22. 
The system error correcting code can be any linear error correcting code and is 
preferably an example of the known Reed-Solomon code. In one embodiment of the 
subject invention: 

a prime number $p = 10{,}000{,}000{,}019$, 
$N = 38{,}167{,}939$, and 
$\omega = 245$, so that 
$\omega^N \equiv 1 \pmod p$. 

As is known, the generator function for an $(N, N-2t)$ Reed-Solomon code is given by: 
$g(x) = (x-\omega)(x-\omega^2)\cdots(x-\omega^{2t})$ 

The resulting code can detect up to $2t$ errors, correct up to $t$ errors and can be used 
for up to $N-2t$ meter records. (By "error" herein is meant a code word, e.g. a field, with 
one or more incorrect entries.) 

The total postage dispensed by system 10 can be expressed as a polynomial: 
$d(x) = A_0 + xA_1 + \cdots + x^{N-2t-1}A_{N-2t-1}$ 
where $A_M$ is the value of the Ascending Register for meter record $M$. (If record $M$ does 
not exist, $A_M = 0$.) The corresponding error correction code polynomial is: 
$e(x) = -x^{2t}\,d(x) \bmod g(x)$ 
and the error correcting code is the set of $2t$ coefficients of $e(x)$. 


When a selected one of modules 22 dispenses postage in the amount $P$ for meter 
record $M$, the increment to the Error Correction Code Data for that module is 
$-x^{2t+M}P \bmod g(x)$. 

If $t = 1000$ then each of modules 22 will keep a set of 2000 partial sums (mod $g(x)$) 
of the coefficients of $e(x)$. Similar functions can be developed for the total number of 
transactions in a substantially identical manner. 

At 114 server 14 will sum the Error Correction Code Data from each of modules 22 
mod $g(x)$ to generate $e(x)$ (and the error correcting code for the number of transactions). 

At 118 server 14 applies these codes in a conventional manner to generate corrected 
meter records and at 120 verifies if the discrepancy identified at 110 is correctable by 
determining if the corrected meter records and the sums determined for the total postage and 
number of transactions agree. If so, at 122 server 14 reports the corrections to the database 
and at 126 investigates the discrepancy. Otherwise at 128 server 14 reports an 
uncorrectable discrepancy. Details of these reporting and investigating functions form no 
part of the present invention and will not be discussed further here. 
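As an added illustration, not code from the patent, the following Python simulates the Figure 6 and Figure 7 procedures with the $p$ and $\omega$ quoted in the text and $t = 1$: two cryptographic modules keep additive audit data (a postage total plus the $2t$ coefficients of their $-x^{2t+M}P \bmod g(x)$ increments), the server sums them to $e(x)$, and a single altered Ascending Register is located and corrected from the syndromes of $x^{2t}d(x) + e(x)$. Record ids, postage amounts and the module count are constructed sample values; the transaction-count code and the per-ZIP totals, which the text says are handled identically, are omitted.

```python
# Added example, not from the patent: the audit scheme described above, using the
# p and omega quoted in the text with t = 1. Sample records and amounts are made up.
PRIME = 10_000_000_019   # prime p from the text
OMEGA = 245              # omega from the text (stated there to satisfy omega^N = 1 mod p)
T = 1                    # t = 1: detect up to 2 errors, correct 1 (the text uses t = 1000)


def poly_add(a, b):
    """Add two coefficient lists (index = power) over GF(p)."""
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(x + y) % PRIME for x, y in zip(a, b)]


# g(x) = (x - omega)(x - omega^2)...(x - omega^2t), the generator from the text
G = [1]
for j in range(1, 2 * T + 1):
    root = pow(OMEGA, j, PRIME)
    G = poly_add([(-root * a) % PRIME for a in G], [0] + G)   # G(x) * (x - root)


def poly_mod_g(a):
    """a(x) mod g(x) as exactly 2t coefficients (G is monic: plain long division)."""
    a = list(a) + [0] * (2 * T)
    for i in range(len(a) - 1, 2 * T - 1, -1):
        coef = a[i]
        for j, gj in enumerate(G):
            a[i - 2 * T + j] = (a[i - 2 * T + j] - coef * gj) % PRIME
    return a[:2 * T]


class CryptoModule:
    """Additive audit data of Figure 4: postage total plus ECC partial sums."""
    def __init__(self):
        self.total_postage = 0
        self.ecc = [0] * (2 * T)

    def dispense(self, record, amount):
        # Figure 6, steps 84 and 86: update the meter record, then the audit data.
        record["ascending"] += amount
        self.total_postage += amount
        # increment -x^(2t+M) * P mod g(x), exactly as the text defines it
        inc = poly_mod_g([0] * (2 * T + record["id"]) + [(-amount) % PRIME])
        self.ecc = poly_add(self.ecc, inc)


def audit(database, modules):
    """Figure 7: compare totals, then sum the ECC data to e(x) and correct one record."""
    db_total = sum(r["ascending"] for r in database)
    mod_total = sum(m.total_postage for m in modules)
    if db_total == mod_total:
        return ("ok", None, None)                   # step 112: totals agree
    e = [0] * (2 * T)
    for m in modules:
        e = poly_add(e, m.ecc)                      # step 114: "summing" gives e(x)
    # d(x) holds A_M at power M. For an intact database c(x) = x^2t d(x) + e(x) is
    # a multiple of g(x), so its syndromes c(omega^j), j = 1..2t, are all zero.
    d = [0] * (max(r["id"] for r in database) + 1)
    for r in database:
        d[r["id"]] = r["ascending"] % PRIME
    c = poly_add([0] * (2 * T) + d, e)
    s = [sum(cf * pow(OMEGA, j * i, PRIME) for i, cf in enumerate(c)) % PRIME
         for j in range(1, 2 * T + 1)]
    if s[0] == 0:
        return ("uncorrectable", None, None)
    # one error delta at record M: S1 = delta*w^(M+2t), S2 = delta*w^(2(M+2t))
    loc = s[1] * pow(s[0], -1, PRIME) % PRIME
    for r in database:
        if pow(OMEGA, r["id"] + 2 * T, PRIME) == loc:
            delta = s[0] * pow(loc, -1, PRIME) % PRIME
            fixed = (r["ascending"] - delta) % PRIME
            if db_total - r["ascending"] + fixed == mod_total:   # step 120 check
                return ("corrected", r["id"], fixed)
    return ("uncorrectable", None, None)            # step 128


def demo():
    """Constructed run: three meter records, two modules, then one tampered register."""
    db = [{"id": m, "ascending": 0} for m in range(3)]
    modules = [CryptoModule(), CryptoModule()]
    for mod, rec, cents in [(0, 0, 4400), (1, 1, 3700), (0, 2, 5500), (1, 0, 1200)]:
        modules[mod].dispense(db[rec], cents)
    clean = audit(db, modules)
    db[1]["ascending"] += 9_999                     # unauthorized alteration of record 1
    return clean, audit(db, modules)
```

With $t = 1$ two altered registers are still detected by the totals comparison but reported as uncorrectable, which is the case the text reserves for step 128.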

The detailed design of systems such as system 10 and cryptographic modules such 
as modules 22 is well within the abilities of those skilled in the art, as is the program 
coding needed to carry out the functions described above, and further description of such 
detailed design and coding is not believed necessary for an understanding of the subject 
invention. 

The embodiments described above and illustrated in the attached drawings have 
been given by way of example and illustration only. From the teachings of the present 
application those skilled in the art will readily recognize numerous other embodiments in 
accordance with the subject invention. For example, bank records which are accessed 
through ATMs can be audited using the subject invention. Accordingly, limitations on the 
subject invention are to be found only in the claims set forth below. 
What is claimed is: 

1. A method for auditing a database comprising a plurality of records, said records 
each being accessible through at least one of a plurality of independent modules, said 
method comprising the steps of: 

a) maintaining a set of additive audit data in each of said modules; 

b) controlling said modules so that each module increments a set of audit 
data maintained in said module when a record is accessed through said module; 

c) summing said sets of audit data to generate system audit data; and 

d) verifying said database's integrity against said system audit data. 

2. A method as described in claim 1 comprising the further steps of: 

a) sending a user request for access to a record and said requested record to 
a selected one of said modules; and 

b) said selected module updating said requested record in accordance with 
said request. 

3. A method as described in claim 2 wherein said selected module incorporates 
encrypted information in said record to prevent generation of fraudulent records. 

4. A method as described in claim 3 wherein said request includes a request for a 
digital postal indicium and comprises the further steps of: 
a) controlling said selected module to generate and return to said requesting 
user a digital postal indicium in accordance with said request; and 

b) controlling said selected module to update said requested record in 
accordance with said request. 

5. A method as described in claim 2 wherein said selected module incorporates 
encrypted information in said audit data to authenticate said audit data. 

6. A method as described in claim 2 wherein said selected module incorporates 
time information in said audit data. 

7. A method as described in claim 1 comprising the further step of providing 
security against tampering for each of said modules. 

8. A method as described in claim 1 wherein said sets of audit data comprise 
increments of a linear error correcting code for correcting a field of said records, whereby 
said audit data can be summed to generate a system error correcting code to correct said 
field of said records. 

9. A method as described in claim 8 comprising the further steps of: 

a) sending a user request for access to a record and said requested record to 
a selected one of said modules; and 

b) said selected module updating said requested record in accordance with 
said request. 

10. A method as described in claim 9 wherein said request includes a request for a 
digital postal indicium and comprising the further steps of: 
a) controlling said selected module to generate and return to said requesting 
user a digital postal indicium in accordance with said request; and 

b) controlling said selected module to update said requested record in 
accordance with said request. 

11. A method as described in claim 10 wherein said corrected field contains a total 
postage amount for the corresponding record. 

12. A method as described in claim 10 wherein said corrected field contains a total 
number of indicia dispensed for the corresponding record. 

13. A method as described in claim 8 wherein said sets of audit data further 
comprise arithmetic totals for values stored in said field of said records, whereby arithmetic 
sums of said values across said modules can be compared with arithmetic sums across said 
records, whereby numbers of errors greater than the number which can be detected by said 
system error correcting code can be detected. 

14. A method as described in claim 13 wherein said field contains a total postage 
amount or a total number of indicia dispensed. 

15. A database system comprising: 

a) a data store storing a database comprising a plurality of records; 

b) a server maintaining said records; 

c) a plurality of independent modules providing access to said records; 

wherein 
d) said modules are programmed to maintain a set of additive audit data in 
each of said modules and increment a set of audit data maintained in one of said modules 
when a record is accessed through said one module; 

e) said server is programmed to sum said sets of audit data to generate 
system audit data and verify said database's integrity against said system audit data. 

16. A system as described in claim 15 wherein: 

a) said server is further programmed to receive user requests for access and 
send said user request and said requested record to a selected one of said modules; and 

b) said modules are further programmed so that said selected module 
updates said requested record in accordance with said request. 

17. A system as described in claim 16 wherein said modules are further 
programmed so that said selected module incorporates encrypted information in said record 
to prevent generation of fraudulent records. 

18. A system as described in claim 16 wherein said selected module incorporates 
encrypted information in said audit data to authenticate said audit data. 

19. A system as described in claim 16 wherein said selected module incorporates 
time information in said audit data. 

20. A system as described in claim 17 wherein said request includes a request for a 
digital postal indicium and wherein said modules are further programmed so that said 
selected module generates and returns to said requesting user a digital postal indicium in 
accordance with said request; and updates said requested record in accordance with said 
request. 



21. A system as described in claim 15 wherein each of said modules is physically 
secured against tampering. 

22. A system as described in claim 15 wherein said sets of audit data comprise 
increments of a linear error correcting code for correcting a field of said records, whereby 
said audit data can be summed by said server to generate a system error correcting code to 
correct said field of said records. 

23. A system as described in claim 22 wherein said modules are further 
programmed so that said selected module incorporates encrypted information in said 
record to prevent generation of fraudulent records. 

24. A system as described in claim 23 wherein said request includes a request for a 
digital postal indicium and wherein said modules are further programmed so that said 
selected module generates and returns to said requesting user a digital postal indicium in 
accordance with said request; and updates said requested record in accordance with said 
request. 

25. A system as described in claim 24 wherein said corrected field contains a total 
postage amount for the corresponding record. 

26. A system as described in claim 24 wherein said corrected field contains a total 
number of indicia dispensed for the corresponding record. 

27. A system as described in claim 22 wherein said sets of audit data further 
comprise arithmetic totals for values stored in said field of said records, whereby arithmetic 
sums of said values across said modules can be compared with arithmetic sums across said 
records, whereby numbers of errors greater than the number which can be detected by said 
system error correcting code can be detected. 
28. A system as described in claim 27 wherein said field contains a total postage 
amount or a total number of indicia dispensed. 
Abstract of the Disclosure 

A method for auditing database records and a system applying that method. 
Database records are accessed through a plurality of modules. A particular transaction may 
be processed through any module. Each module maintains partial audit data reflecting 
transactions processed through that module. Data from all modules is appropriately 
"summed" with an additive operation such as arithmetic addition or modular addition to 
generate system audit data. In one embodiment, the system audit data includes a linear 
error correcting code. In another embodiment, the system dispenses digital postal indicia. 